The gaping hole allowing email spoofing

In today’s news there was a report that Anthony Scaramucci, the outgoing White House communications director, got “punked” by an email he thought was from Reince Priebus, the former chief of staff and his apparent rival. The messages actually came from a mail.com account.

Although not nearly as consequential, this sort of thing is commonplace. I have gotten several messages claiming to come from Facebook and other social media contacts, but actually from impostors using their names. Presumably the impostors mined the names from social media.

The email industry bears some responsibility for making this possible. Despite the enormous effort put into development and deployment of email authentication and anti-phishing technologies such as SPF, DKIM, and DMARC, there is a gaping hole: it isn’t readily possible to distinguish a message from someone at their expected email address from a message posing as them from a different email address entirely.

Email clients used to routinely display the email address as well as the “friendly name” when they displayed a message. They used to typically display:

From: John Doe <john.doe@example.com>

That isn’t all that pretty, and in this case a little redundant. It also takes more precious space on mobile devices. So today many clients simply display:

From: John Doe

But suppose someone wanted to pose as Mr. Doe? They could very easily send a message with a From header field like this (of course, substituting example.org with their own email domain):

From: John Doe <impostor@example.org>

On many email clients, this will display exactly like an actual message from the real John Doe.

What could be done about it? Obviously, this is an area that warrants some real usability research and a lot of users will need to be trained. But here are a few possibilities:

1. Verify the address against the user’s address book. If it doesn’t match, display the sender’s name in a distinctive way, e.g. in red, with a big X, etc. Obviously there would be issues with someone in the address book as John Doe sending a message as Johnny Doe, but that can be handled too.

2. Do the same as #1 but do something like the blue checkmark on Twitter: display something distinctive saying the message came from an address you recognize. The problem here is that the meaning of the checkmark would be different: not verified by some central authority, but by one’s own address book.

3. Display the email address, either with or instead of the friendly name, if it doesn’t match.
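One way a mail client could implement the address-book check behind possibilities 1 to 3, as an added example that is not the post's own code: it parses the From header, compares the display name and address against a small constructed address book, and returns a verdict together with the string the client should show. The address book contents, the verdict names and the display markers are assumptions made for the example.

```python
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed address book for the example: normalized display name -> known addresses.
ADDRESS_BOOK = {
    "john doe": {"john.doe@example.com"},
    "jane roe": {"jane@example.net", "jane.roe@example.com"},
}


def classify_sender(from_header, address_book=ADDRESS_BOOK):
    """Compare a From header against the address book and decide how to display it.

    Verdicts (names chosen for this example):
      known          name and address both match a contact (show the name, marked)
      name_mismatch  name matches a contact but the address does not: the impostor case
      address_only   address belongs to a contact filed under a different name
      unknown        neither name nor address is in the book
      malformed      no usable addr-spec could be parsed
    """
    raw_name, addr = parseaddr(from_header)
    # RFC 2047 encoded-word names (=?utf-8?q?...?=) decode to the text the client shows,
    # so compare the decoded form, not the raw header bytes.
    name = str(make_header(decode_header(raw_name))).strip()
    addr = addr.strip().lower()
    if "@" not in addr:
        return {"name": name, "addr": addr, "verdict": "malformed", "display": from_header}
    key = " ".join(name.lower().split())  # case- and whitespace-insensitive name lookup
    addrs_for_name = address_book.get(key, set())
    addr_known = any(addr in known for known in address_book.values())
    if addr in addrs_for_name:
        verdict, display = "known", f"{name} [known contact]"
    elif addrs_for_name:
        # Friendly name is a contact's, address is not: show the address, prominently flagged.
        verdict, display = "name_mismatch", f"[!] {name} <{addr}> (not the {name} in your contacts)"
    elif addr_known:
        verdict, display = "address_only", f"{name} <{addr}>"
    else:
        verdict = "unknown"
        display = f"{name} <{addr}>" if name else addr
    return {"name": name, "addr": addr, "verdict": verdict, "display": display}


if __name__ == "__main__":
    for hdr in ("John Doe <john.doe@example.com>",
                "John Doe <impostor@example.org>",
                "=?utf-8?q?John_Doe?= <impostor@example.org>",
                "Johnny Doe <john.doe@example.com>"):
        print(f"{hdr!r:50} -> {classify_sender(hdr)['display']}")
```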

There is some risk of just “kicking the problem down the road”, however. If this becomes really effective, address book attacks would become worthwhile. Attackers would try to trick you into accepting address book entries (typically .vcf files) from them, and these might enable them to more plausibly pose as a trusted (or at least known) contact.

No matter what we do, some users will ignore it, and we can’t fix that. But we can, and should, give users the tools to easily spot messages that they should treat with more suspicion.